SEOUL— Coupang, South Korea’s leading e-commerce platform, is engulfed in a massive data breach scandal after reporting that the personal information of 33.7 million users has been compromised. This colossal breach, which includes names, phone numbers, home addresses, and email addresses, effectively encompasses the data of nearly every active Coupang member and about three-quarters of the entire adult population of South Korea.

The magnitude of the data leak, which was discovered to have been ongoing for five months, has triggered widespread public alarm and severe criticism regarding Coupang's data security protocols. Initially reported on November 20 with a mere 4,500 compromised accounts following a customer complaint, the scope of the breach escalated sharply within nine days, increasing by a staggering 7,500 times to 33.7 million accounts.

Coupang's failure to detect the continuous data theft, which began on June 24, until consumer complaints surfaced, highlights significant deficiencies in its internal surveillance and security systems. "Coupang only became aware of the breach after receiving consumer complaints and investigating them," a representative from the Personal Information Protection Commission (PIPC) stated, underscoring the company’s lax oversight.

The incident is not being primarily attributed to external hacking. Instead, suspicions point to an inside job, allegedly perpetrated by a former Chinese employee who has since resigned and is believed to have left the country. Coupang submitted a complaint to the Seoul Metropolitan Police Agency's Cyber Investigation Unit on November 25 against an "unidentified person," but sources indicate a detailed internal report submitted to the PIPC explicitly outlines circumstantial evidence suggesting the former employee’s involvement.

The government has swiftly responded to the crisis. On November 30, the Deputy Prime Minister and Minister of Science and ICT, Bae Kyung-hoon, chaired an emergency meeting, announcing that the attacker exploited a vulnerability in Coupang’s server authentication to exfiltrate data without proper login credentials. Consequently, the government has declared a three-month period of "Intensified Monitoring of Illegal Personal Information Distribution" to mitigate secondary damage.

In a statement, Coupang CEO Park Dae-joon issued an apology, acknowledging the "inconvenience and concern" caused to customers and vowing to "do [their] best to prevent further damage."

However, security experts argue that Coupang’s growth has come at the expense of robust security measures. Lee Sang-jin, a professor at Korea University's Graduate School of Information Security, pointed out that standard corporate practice involves restricting employee access based on data sensitivity. "The fact that one employee could continuously access massive amounts of data indicates poor internal monitoring and management," Professor Lee noted.

This massive leak not only raises serious concerns about the security of customer information at South Korea's largest e-commerce firm but also casts a shadow over the efficacy of national information protection certifications, which Coupang had previously acquired twice. Consumers are now urged to exercise extreme caution against potential phishing attempts and scams leveraging the exposed data, as authorities and Coupang work to contain the fallout from this unprecedented personal data catastrophe.